From: aranea@aixah.de (Luis Ressel)
Date: Mon, 11 Sep 2017 05:18:27 +0200
Subject: [refpolicy] [PATCH 1/3] postfix: Some table drivers (notably cdb)
	need to mmap() their databases
Message-ID: <20170911031829.4163-1-aranea@aixah.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

This change also grants exim (the other caller of the mta_read_aliases
interface) to map the mail aliases, but that seems minor enough not to
warrant the creation of a new interface.
---
 mta.if     | 2 +-
 postfix.te | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/mta.if b/mta.if
index 2b99dd5..8565982 100644
--- a/mta.if
+++ b/mta.if
@@ -586,7 +586,7 @@ interface(`mta_read_aliases',`
 	')
 
 	files_search_etc($1)
-	allow $1 etc_aliases_t:file read_file_perms;
+	allow $1 etc_aliases_t:file { read_file_perms map };
 ')
 
 ########################################
diff --git a/postfix.te b/postfix.te
index 84e0b5e..eb4af6c 100644
--- a/postfix.te
+++ b/postfix.te
@@ -115,7 +115,7 @@ allow postfix_domain self:fifo_file rw_fifo_file_perms;
 allow postfix_domain self:unix_stream_socket { accept connectto listen };
 
 allow postfix_domain postfix_etc_t:dir list_dir_perms;
-allow postfix_domain postfix_etc_t:file read_file_perms;
+allow postfix_domain postfix_etc_t:file { read_file_perms map };
 allow postfix_domain postfix_etc_t:lnk_file read_lnk_file_perms;
 
 allow postfix_domain postfix_master_t:file read_file_perms;
@@ -489,7 +489,7 @@ allow postfix_map_t self:capability { dac_override setgid setuid };
 allow postfix_map_t self:tcp_socket { accept listen };
 
 allow postfix_map_t postfix_etc_t:dir manage_dir_perms;
-allow postfix_map_t postfix_etc_t:file manage_file_perms;
+allow postfix_map_t postfix_etc_t:file { manage_file_perms map };
 allow postfix_map_t postfix_etc_t:lnk_file manage_lnk_file_perms;
 
 manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
-- 
2.14.1